mcoops / deplist
License: Apache License 2.0
Usually Java project dependencies are managed with Maven. In that case a pom.xml will be found at the root of the project. Running mvn --no-transfer-progress dependency:tree will print the direct and transitive Java dependencies.
The maven package needs to be installed to provide the command mvn.
Here is some sample output:
--- maven-dependency-plugin:2.8:tree (default-cli) @ hive-shims-common ---
[INFO] org.apache.hive.shims:hive-shims-common:jar:2.3.3
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.6.2:compile
[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.6.2:compile
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-client:jar:2.7.2:compile
[INFO] | +- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO] | | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | | +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] | | +- xmlenc:xmlenc:jar:0.52:compile
[INFO] | | +- commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO] | | | \- junit:junit:jar:4.11:compile
[INFO] | | | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] | | +- commons-codec:commons-codec:jar:1.4:compile
[INFO] | | +- commons-io:commons-io:jar:2.4:compile
[INFO] | | +- commons-net:commons-net:jar:3.1:compile
[INFO] | | +- commons-collections:commons-collections:jar:3.2.2:compile
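A parser for the dependency:tree text format shown above, as an added example (not deplist's own code). The `Dep` type, the function name and the sample input are assumptions made for illustration; the sample is constructed and also covers the six-field form that carries a classifier.

```go
package main

import (
	"fmt"
	"strings"
)

// Dep is one dependency line of `mvn dependency:tree` output.
type Dep struct {
	Group, Artifact, Version, Scope string
	Direct                          bool // true when declared by the project itself
}
// sample is constructed for this example, not captured from a real build.
const sample = `[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  \- com.google.guava:guava:jar:14.0.1:compile
[INFO] \- org.apache.hive:hive-exec:jar:core:2.3.3:test`

// parseMavenTree returns each group:artifact:version once, in first-seen order.
func parseMavenTree(out string) []Dep {
	var deps []Dep
	seen := map[string]bool{}
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "[INFO] ")
		i := strings.Index(line, "- ") - 1 // tree markers are "+- " and "\- "
		if i < 0 || (line[i] != '+' && line[i] != '\\') {
			continue // project line, plugin banner or other log output
		}
		f := strings.Split(strings.TrimSpace(line[i+3:]), ":")
		n := len(f) // 5: group:artifact:type:version:scope; 6 adds a classifier after type
		if n != 5 && n != 6 {
			continue
		}
		d := Dep{f[0], f[1], f[n-2], f[n-1], i == 0}
		if key := d.Group + ":" + d.Artifact + ":" + d.Version; !seen[key] {
			seen[key] = true
			deps = append(deps, d)
		}
	}
	return deps
}

func main() {
	fmt.Printf("%+v\n", parseMavenTree(sample))
}
```

Keeping the scope and the direct/transitive flag lets a reviewer separate test-only dependencies from what ships in the artifact.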
In Go 1.14 the default for go list was changed to detect the presence of a vendor directory automatically and use it for resolving dependencies. This library fails to do that for such a module.
We could detect the presence of go.mod and vendor/ and set GOFLAGS=-mod=vendor when both are present, forcing go list to use the dependencies in the vendor/ directory to solve modules in go.mod. E.g. cfg.Env = append(os.Environ(), "GOFLAGS=-mod=vendor") from go/packages#Config.
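One way to build that environment, as an added example (not deplist's own code). The function name `vendorEnv` is hypothetical, and checking for vendor/modules.txt rather than the bare vendor/ directory is an assumption; the result is meant to be assigned to the Env field of the go/packages Config mentioned above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// vendorEnv returns environ, adding -mod=vendor to GOFLAGS when dir holds both
// go.mod and vendor/modules.txt. A -mod flag already present in GOFLAGS wins.
func vendorEnv(dir string, environ []string) []string {
	for _, f := range []string{"go.mod", filepath.Join("vendor", "modules.txt")} {
		if st, err := os.Stat(filepath.Join(dir, f)); err != nil || st.IsDir() {
			return environ // not a vendored module: leave the environment alone
		}
	}
	out := make([]string, 0, len(environ)+1)
	flags := ""
	for _, kv := range environ {
		if strings.HasPrefix(kv, "GOFLAGS=") {
			flags = strings.TrimPrefix(kv, "GOFLAGS=") // keep flags the caller set
			continue
		}
		out = append(out, kv)
	}
	for _, f := range strings.Fields(flags) {
		if strings.HasPrefix(f, "-mod=") || strings.HasPrefix(f, "--mod=") {
			return environ // the caller already chose a -mod mode
		}
	}
	return append(out, "GOFLAGS="+strings.TrimSpace(flags+" -mod=vendor"))
}

func main() {
	for _, kv := range vendorEnv(".", os.Environ()) {
		if strings.HasPrefix(kv, "GOFLAGS=") {
			fmt.Println(kv)
		}
	}
}
```

Merging into an existing GOFLAGS value instead of appending a second GOFLAGS entry avoids silently dropping flags the caller had already set.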
If there's no yarn.lock file, instead run npm list to use the package.json/lock instead.
$ git clone [email protected]:openshift/thanos.git
$ cd thanos
$ deplist .
fork/exec /home/prodsec/sfowler/.local/bin/yarn: exec format error
$
Hi,
I am using go version go1.15.15 linux/amd64 which is the latest version on Fedora 33 base repository.
When I try to make or otherwise use deplist, I get this error:
internal/scan/ruby.go:19:18: undefined: os.MkdirTemp
make: *** [Makefile:4: build] Error 2
I was able to work around this by going to
Line 19 in 783af3b
gemPath, err := ioutil.TempDir("", "gem_vendor")
plus of course adding the import for io/ioutil.
I discovered this after locating: golang/go#42026 . Seems Go 1.16 is required. Just wanted to mention it.
When multiple jar files are encountered and they all report the same dep, at the moment deplist will report duplicates. Does de-dup at the single jar file layer, but needs to also be moved up higher so the main loop can track only unique entries.
This will allow deduplicating for all langs.
Using cargo tree or some variant also support rust vendoring:
We can't assume that the requirements.txt file is at the top level. With the filtering put in place to ignore docs, tests it should be ok to now look for it anywhere.
If there is no yarn.lock or package-lock.json, then process the node_modules directory manually.
Along the lines of:
for modules in node_modules/* {
    output = append(output, {modules[name] modules[version]})
}
This should also account for any transient dependencies too by processing everything in the main node_modules directory.
Not sure yet the best way to approach this, but prob the safest will be to just apply this logic recursively I think, that should be ok and give the best results.
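A recursive walk along the lines sketched above, as an added example (not deplist's own code). The function names are hypothetical; it reads name and version from each package.json, descends into scope directories such as @babel and into nested node_modules, and reports each name@version once.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// walk records name@version for every package under dir, a node_modules directory.
func walk(dir string, found map[string]bool) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return // no such directory: the package has no nested node_modules
	}
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		switch {
		case !e.IsDir() || strings.HasPrefix(e.Name(), "."):
			continue // files, symlinks and tool directories such as .bin
		case strings.HasPrefix(e.Name(), "@"):
			walk(p, found) // scope directory: the packages are one level down
			continue
		}
		var pkg struct{ Name, Version string }
		if raw, err := os.ReadFile(filepath.Join(p, "package.json")); err == nil && json.Unmarshal(raw, &pkg) == nil && pkg.Name != "" {
			found[pkg.Name+"@"+pkg.Version] = true
		}
		walk(filepath.Join(p, "node_modules"), found) // nested copies
	}
}

// nodeModuleDeps returns the sorted, de-duplicated name@version list.
func nodeModuleDeps(root string) []string {
	found := map[string]bool{}
	walk(root, found)
	deps := make([]string, 0, len(found))
	for d := range found {
		deps = append(deps, d)
	}
	sort.Strings(deps)
	return deps
}

func main() {
	fmt.Println(strings.Join(nodeModuleDeps("node_modules"), "\n"))
}
```

Symlinked entries are skipped because a directory entry for a symlink does not report as a directory, which also keeps the recursion from looping on linked packages.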
Environment markers in Python requirements files can result in the version being incorrectly gathered from the marker. E.g.:
unittest2==0.5.1; python_version == '2.6'
Results in dependency being identified as:
{Name:unittest2==0.5.1; python_version Version: '2.6' NVR:unittest2==0.5.1; python_version @ '2.6' Ecosystem:pypi}
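A requirement-line parser that cuts the environment marker before looking for a version operator, as an added example (not deplist's own code). The function name is hypothetical, and returning a version only for "==" pins is a choice made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// parseRequirement splits one requirements.txt line into a package name and,
// for "==" pins, the exact version. ok is false for lines that name no package.
func parseRequirement(line string) (name, version string, ok bool) {
	if i := strings.Index(line, " #"); i >= 0 {
		line = line[:i] // inline comment
	}
	// Cut the environment marker first: it may contain "==" of its own.
	if i := strings.Index(line, ";"); i >= 0 {
		line = line[:i]
	}
	line = strings.TrimSpace(line)
	if line == "" || line[0] == '#' || line[0] == '-' || strings.Contains(line, "://") {
		return "", "", false // blank, comment, pip option (-r, -e) or URL
	}
	if i, j := strings.Index(line, "["), strings.Index(line, "]"); i >= 0 && j > i {
		line = line[:i] + line[j+1:] // drop extras such as requests[security]
	}
	spec := ""
	if i := strings.IndexAny(line, "=<>!~ "); i >= 0 {
		line, spec = line[:i], strings.TrimSpace(line[i:])
	}
	if strings.HasPrefix(spec, "==") && !strings.HasPrefix(spec, "===") {
		v := strings.FieldsFunc(spec[2:], func(r rune) bool { return r == ',' || r == ' ' })
		if len(v) > 0 {
			version = v[0] // ignores trailing options such as --hash=...
		}
	}
	return line, version, line != ""
}

func main() {
	// Constructed sample lines; the first is the one quoted in the issue above.
	for _, l := range []string{
		"unittest2==0.5.1; python_version == '2.6'",
		"requests[security]>=2.8.1 ; python_version < '3'  # tls",
		"-r base.txt",
	} {
		n, v, ok := parseRequirement(l)
		fmt.Printf("%q -> name=%q version=%q ok=%v\n", l, n, v, ok)
	}
}
```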
Adding .ear, .adm Java archive file format to be supported.